The Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) addressed the security and privacy of healthcare data. Details of the provisions of HIPAA are included at the CMS website. Security involves the protection of protected health information from unauthorized release or theft. For electronic records, this includes not only physical security, but also electronic security. The standards include password protection, periodic password changes, restriction of data access to only that required for the performance of assigned tasks and network security.
The American Recovery and Reinvestment Act (ARRA) of 2009 expanded some HIPAA requirements. Most notably, it created a requirement that patients be notified of any unauthorized release of their protected health information. Electronic security would be expected to be part of the EHR system, and also to protect the computer network to which it is connected. Compliance in implementing and using these security mechanisms remains the responsibility of the physician practice. It is prudent to ensure that the EHR vendor is contractually obligated to incorporate these security measures into the system you purchase, and to include training in its use in their start-up training. Be sure to check on the liability coverage needed to protect your new EHR system; your practice may need to expand its general liability coverage. Check with your general liability carrier and EHR vendor.
• AmericanEHR Partners info on Privacy and Security
• The Health Information Security and Privacy Collaboration Toolkit
• NIH U.S. National Library of Medicine: Privacy/Security and Research with Electronic Health Records
These links are for research only. They are not endorsed by The American Academy of Allergy, Asthma & Immunology (AAAAI).